Using lookup table to search events but having some issues:
|inputlookup router_lookup | rename Router_Name as DEVICE_NAME Router_Interface as INTERFACE | fields DEVICE_NAME, INTERFACE | format
results to:
( ( DEVICE_NAME="ROUTERA" AND INTERFACE="xe-5/2/0" ) OR ( DEVICE_NAME="ROUTERB" AND INTERFACE="xe-9/3/1" ) OR ( DEVICE_NAME="ROUTERC" AND INTERFACE="xe-6/7/0" ) ... etc
However, I found out that DEVICE_NAME is not a defined field for all routers, so I tried doing this:
|inputlookup router_lookup | rename Router_Name as DEVICE_NAME Router_Interface as INTERFACE | eval Interface_Name=DEVICE_NAME." AND ".INTERFACE | fields Interface_Name | rename Interface_Name as query | format
results to:
( ("ROUTERA AND xe-5/2/0" ) OR ( "ROUTERB AND xe-9/3/1" ) OR ( "ROUTERC AND xe-6/7/0" ) ... etc
this is NOT the result I was looking for since they have quotation marks.
this is what I need:
( (ROUTERA AND xe-5/2/0 ) OR (ROUTERB AND xe-9/3/1 ) OR (ROUTERC AND xe-6/7/0) ... etc
thank you in advance!
↧